How do I interpret the snoop output?

  [KB6708]


What do the fields vhl, tos, id, frag, etc. indicate in the snoop output?

  • How do I read the snoop trace?
  • What is the meaning of the field frag= in the snoop output?


To explain the various SNOOP output fields, it is best to use an example. 

Sample SNOOP Output:
Line 1 35455.0:  ethernet1(i) len=74:0010db1c5921->0010db1b44b4/0800
Line 2>
Line 3   vhl=45, tos=00, id=49627, frag=0000, ttl=63, tlen=128
Line 4   icmp:type=8, code=0
Line 1 35455.0: ethernet2(o) len=74:0010db1b44ba->0010db21be61/0800
Line 2>
Line 3   vhl=45, tos=00, id=49627, frag=0000, ttl=62, tlen=128
Line 4   icmp:type=8, code=0

Interpreting Line 1:

35455.0        Timer - the number of seconds since the firewall was last booted.
ethernet1(i)   Interface (direction), where:
               (i) = incoming
               (o) = outgoing
len=74         Ethernet frame length
0010db1c5921   Source MAC address
0010db1b44b4   Destination MAC address
0800           Protocol Type

Interpreting Line 2:

Source IP address
Destination IP address
1 Protocol (ICMP in this example)

Interpreting Line 3:

vhl Version/header length - IP version 4 and a header length of 5 32-bit words
tos Type of service - no precedence or QoS bits are set in this example
id=49627 Datagram ID
frag=0000 IP fragmentation fields in hex (16 bits)
 1-bit   = reserved (not used)
 1-bit   = DF bit
 1-bit   = more-frags (0 for last fragment, 1 for all others)
 13-bit = fragment offset (multiply by 8 for the byte offset)

For example:
frag=2000  (0010 0000 0000 0000)
 more-frag set + 0 offset: this is the first fragment of the packet.

frag=4000  (0100 0000 0000 0000)
 DF set: packet not fragmented.

frag=00b9  (0000 0000 1011 1001)
 more-frag not set: this is the last fragment.
 offset field  (...0 0000 1011 1001) = 185,
  - multiply by 8 = 1480 bytes offset.
ttl=63 time to live value
tlen=128 Total datagram length (bytes)
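
The Line 3 decoding described above, as an added example that is not part of the original article: it parses the field line and splits frag= into the reserved, DF and more-frags bits plus the byte offset. The function names and the "position" labels are hypothetical, and reading vhl as two hex digits is an assumption.

```python
import re

# Constructed sample: Line 3 copied from the sample snoop output above.
SAMPLE_LINE3 = "vhl=45, tos=00, id=49627, frag=0000, ttl=63, tlen=128"

def decode_frag(frag_hex):
    """Split the 16-bit frag= value (hex) into flag bits and byte offset."""
    value = int(frag_hex, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("frag must be a 16-bit hex value: %r" % frag_hex)
    more = bool(value & 0x2000)          # more-frags bit
    units = value & 0x1FFF               # 13-bit offset in 8-byte units
    if more:
        position = "first fragment" if units == 0 else "middle fragment"
    else:
        position = "last fragment" if units else "not fragmented"
    return {
        "reserved": bool(value & 0x8000),
        "df": bool(value & 0x4000),
        "more_frags": more,
        "offset_bytes": units * 8,
        "position": position,
    }

def parse_line3(line):
    """Parse the 'vhl=..., tos=..., ...' line of a snoop record."""
    fields = dict(re.findall(r"(\w+)=([0-9a-fA-F]+)", line))
    missing = {"vhl", "id", "frag", "ttl", "tlen"} - fields.keys()
    if missing:
        raise ValueError("missing fields: %s" % sorted(missing))
    vhl = int(fields["vhl"], 16)         # assumption: vhl is printed in hex
    return {
        "version": vhl >> 4,
        "header_bytes": (vhl & 0x0F) * 4,  # header length is in 32-bit words
        "id": int(fields["id"]),
        "ttl": int(fields["ttl"]),
        "tlen": int(fields["tlen"]),
        "frag": decode_frag(fields["frag"]),
    }

if __name__ == "__main__":
    print(parse_line3(SAMPLE_LINE3))
    for sample in ("2000", "4000", "00b9"):   # the article's frag examples
        print(sample, decode_frag(sample))
```
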

Interpreting Line 4:

icmp Key protocol header fields.

For traffic incoming to an interface (e.g. ethernet1(i)), the Destination MAC is the MAC address of the Firewall interface.  For traffic outgoing from an interface, the Source MAC is the MAC address of the Firewall interface that the traffic is egressing from.


